10-08-2015 12:24 AM - edited 03-11-2019 11:42 PM
I've been stuck with Fortigates for a while and had to help a customer with their ASA setup.
They state that the Guest interface can reach inside hosts/servers, and when I check, I see that we have no NAT statement between the Guest and Inside networks.
There is a permit ip any any from the Guest network, and the guest network only has a PAT towards the Outside interface.
I did test with packet-tracer and it states that, sure thing, guest can access inside hosts... Since my ASA knowledge is rusty, can you explain what I have missed?
Interfaces:
interface GigabitEthernet0/0
 description Outside Interface
 nameif Outside-Interface
 security-level 0
 ip address 92.xx.xxx.x0 255.255.255.248
!
interface GigabitEthernet0/1
 description Internal Interface
 shutdown
 nameif Internal-Interface
 security-level 100
 ip address 192.168.151.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Guest Outside Interface
 nameif Guest-Interface
 security-level 30
 ip address 192.168.153.1 255.255.255.0
!
interface GigabitEthernet0/3
 description Internal Link between ASA and core Switch
 nameif FwLink
 security-level 100
 ip address 192.168.152.2 255.255.255.0
!
Rules:
access-list Guest-Outside_access_in extended permit ip any any
Nat statements:
nat (FwLink,Outside-Interface) source static any any destination static NETWORK_OBJ_192.168.154.0_24 NETWORK_OBJ_192.168.154.0_24 no-proxy-arp route-lookup
!
object network SIP_GW_Internal
 nat (FwLink,Outside-Interface) static SIP_GW_External_NAT
!
nat (Internal-Interface,Outside-Interface) after-auto source dynamic any interface
nat (Guest-Interface,Outside-Interface) after-auto source dynamic any interface
nat (FwLink,Outside-Interface) after-auto source dynamic any interface
access-group Outside-Interface_access_in in interface Outside-Interface
access-group Internal-Interface_access_in in interface Internal-Interface
access-group Guest-Outside_access_in in interface Guest-Interface
Packet-tracer output between the Guest network and a host behind the FwLink interface
Result of the command: "packet-tracer input Guest-Interface tcp 192.168.153.10 1025 192.168.155.10 80 detailed"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f346b40, priority=1, domain=permit, deny=false
hits=164566914, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest-Interface, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.155.0 255.255.255.0 FwLink
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Guest-Outside_access_in in interface Guest-Interface
access-list Guest-Outside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f4508d0, priority=13, domain=permit, deny=false
hits=7213873, user_data=0x7fff9b4f02c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=Guest-Interface, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9e8f77e0, priority=0, domain=nat-per-session, deny=false
hits=1326441342, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f34df10, priority=0, domain=inspect-ip-options, deny=true
hits=7390624, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=Guest-Interface, output_ifc=any
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9e8f77e0, priority=0, domain=nat-per-session, deny=false
hits=1326441344, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9f39b5d0, priority=0, domain=inspect-ip-options, deny=true
hits=1171119949, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=FwLink, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 181642208, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Guest-Interface
input-status: up
input-line-status: up
output-interface: FwLink
output-status: up
output-line-status: up
Action: allow
Same-security options are NOT enabled
Show nat output
Result of the command: "show nat"
Manual NAT Policies (Section 1)
1 (FwLink) to (Outside-Interface) source static any any destination static NETWORK_OBJ_192.168.154.0_24 NETWORK_OBJ_192.168.154.0_24 no-proxy-arp route-lookup
translate_hits = 1790288, untranslate_hits = 1881577
Auto NAT Policies (Section 2)
1 (FwLink) to (Outside-Interface) source static SIP_GW_Internal SIP_GW_External_NAT
translate_hits = 1146900323, untranslate_hits = 133790
Manual NAT Policies (Section 3)
1 (Internal-Interface) to (Outside-Interface) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (Guest-Interface) to (Outside-Interface) source dynamic any interface
translate_hits = 7103081, untranslate_hits = 69453
3 (FwLink) to (Outside-Interface) source dynamic any interface
translate_hits = 21942391, untranslate_hits = 896740
Can anyone explain what I have missed?
I was under the impression that I need NAT statements between a lower security interface and a higher one?
Thanks!
10-08-2015 12:35 AM
Hi,
There is a change in the way ASA code operates in releases 8.3 and above.
In 8.3 and above there is no NAT control on the ASA, so that is the reason your configuration is working without NAT rules.
For more details about other changes in version 8.3 you can refer to the following link (also refer to the ASA 8.3 release notes):
https://supportforums.cisco.com/document/48646/asa-83-upgrade-what-you-need-know
Hope it helps!!!
Thanks,
R.Seth
Don't forget to mark the answer as correct if it helps in resolving your query!!!
10-08-2015 12:59 AM
Hi,
The security levels, along with ACLs, are used to permit/deny access to users in your network.
Use NAT only to translate IP addresses as per your network requirements.
Thanks,
R.Seth
Don't forget to mark the answer as correct if it helps in resolving your query!!!
10-08-2015 12:49 AM
Fast answer! Appreciated!
Follow up question/clarification
I do not have to think about different security levels then? I only need NAT when I want to do PAT/change IP addresses instead of using the original IPs?
Thanks
10-08-2015 01:06 AM
Thanks all for the fast answers.
Now I've got so much NAT cleaning to do on other firewalls... ugh
10-08-2015 01:03 AM
Security levels are still important. The default behavior will be to allow an initial flow from a higher security level to a lower one. You do not require NAT between interfaces if you do not require NAT. In this scenario the ASA will just route the traffic with its original IP addressing.
The reason why the flow is allowed from a lower security level (30 on the Guest) to a higher one (100 on the inside) is because of the access rule "permit ip any any".
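Since the blanket "permit ip any any" on the Guest interface is what lets guest clients reach the inside, the fix is in the ACL, not in NAT. The following is an added example (not configuration from the thread) that denies guest traffic to the internal subnets visible in the original post and still permits Internet access; the object-group name is an assumption, and the list of internal subnets is inferred from the interface addresses, NAT objects and route lookup shown above, so adjust it to the real inside address space.

```cisco
! Added example, not from the original post. Object-group name and the
! exact set of internal subnets are assumptions based on the config shown.
object-group network INTERNAL_NETS
 network-object 192.168.151.0 255.255.255.0
 network-object 192.168.152.0 255.255.255.0
 network-object 192.168.154.0 255.255.255.0
 network-object 192.168.155.0 255.255.255.0
!
! Insert the deny at line 1 so it is evaluated before the existing
! "permit ip any any"; "log" records every blocked guest->inside attempt.
access-list Guest-Outside_access_in line 1 extended deny ip any object-group INTERNAL_NETS log
!
! The existing ACL binding on the Guest interface stays as it was:
access-group Guest-Outside_access_in in interface Guest-Interface
!
! Verify with the same packet-tracer from the post; the ACCESS-LIST phase
! should now report "Result: DROP" and the final "Action: drop".
packet-tracer input Guest-Interface tcp 192.168.153.10 1025 192.168.155.10 80
```

The guest PAT towards the Outside interface is unaffected, because NAT on 8.3+ only rewrites addresses and does not decide whether a flow is permitted.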